Friday, January 18, 2013

I have an environment where an Active Directory GPO sets the PowerShell execution policy to AllSigned. As you know, under that policy only scripts carrying a valid Authenticode signature from a trusted publisher are allowed to run. I will not go into the details of how to sign a script; you can look at the following link to learn more about it:

OK, where were we? Yes, so you want to automate signing a bunch of scripts that have already gone through some sort of gate-keeping process (you validated, tested, inspected, re-validated, re-tested, re-inspected ... and so on). The scripts are stored in a secure share, \\network.location.com\Repository\scripts2Bsigned\.

Letting an automated process sign a bunch of scripts is not the best security practice (anything dropped into that share gets signed, so the share ACL and the service account's private key become part of your trust boundary), but I had to go that route for this specific instance. The task runs as a service account, svc_signer, whose personal certificate store holds the script-signing certificate (if svc_signer logged on interactively to that server and ran certmgr.msc, it would see the correct cert under Personal). So for this purpose, a task runs frequently to look for .ps1 files in that location and sign them:

In my scenario, I also decided to move the signed scripts to another folder, so the only scripts that stay in the share are those that still need signing. Even if you leave the signed scripts there and they get signed again, it is not a big deal.
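Here is an added example of what such a task script can look like. It is not the script from the original post; the signed/failed folder names, the timestamp server URL and the thumbprint placeholder are assumptions for your environment. It pins the certificate by thumbprint rather than taking whatever -CodeSigningCert returns first, timestamps the signature so it stays valid after the certificate expires, re-reads the signature after signing instead of trusting the return object alone, and moves each file out of the inbound share as the post describes.

```powershell
# Added example, not the original post's script.
# Runs as svc_signer, whose CurrentUser\My store holds the script-signing certificate.
$InboundShare   = '\\network.location.com\Repository\scripts2Bsigned'
$SignedFolder   = '\\network.location.com\Repository\signed'   # assumed folder name
$FailedFolder   = '\\network.location.com\Repository\failed'   # assumed folder name
$TimestampUrl   = 'http://timestamp.digicert.com'              # assumed Authenticode timestamp server
$CertThumbprint = '<thumbprint of the script-signing certificate>'  # pin it; replace with your own

# Only certificates with the Code Signing EKU and a usable private key qualify.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $CertThumbprint -and $_.HasPrivateKey }
if (-not $cert)                       { throw "Code-signing certificate $CertThumbprint not found in CurrentUser\My" }
if ($cert.NotAfter -lt (Get-Date))    { throw "Certificate expired on $($cert.NotAfter)" }

foreach ($file in Get-ChildItem -Path $InboundShare -Filter '*.ps1' -File) {
    # Already validly signed by this very certificate: nothing to do but move it out.
    $existing = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($existing.Status -eq 'Valid' -and $existing.SignerCertificate.Thumbprint -eq $cert.Thumbprint) {
        Move-Item -Path $file.FullName -Destination $SignedFolder -Force
        continue
    }

    # Sign with SHA-256, timestamp the signature, embed the chain (minus the root).
    $result = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
              -HashAlgorithm SHA256 -TimestampServer $TimestampUrl -IncludeChain NotRoot

    # Verify by reading the signature back from disk, not just from the return value.
    $check = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($result.Status -eq 'Valid' -and $check.Status -eq 'Valid') {
        Move-Item -Path $file.FullName -Destination $SignedFolder -Force
    } else {
        Write-Warning "Signing $($file.Name) failed: $($result.StatusMessage)"
        Move-Item -Path $file.FullName -Destination $FailedFolder -Force
    }
}
```

Two practical notes: because the GPO enforces AllSigned for svc_signer too, this signing script itself has to be signed before the scheduled task can run it (a -ExecutionPolicy switch on the command line does not override a policy set by Group Policy); and if the certificate is replaced, only the thumbprint needs changing, which is the point of pinning it.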